The United Kingdom is considering legislation that would make it a criminal offense to lose a laptop containing unencrypted personal data. We have all heard the horror stories about laptops being lost or stolen that contain thousands of social security numbers, credit card data, or other personal information. Here’s an excerpt from the Computerworld UK article:
[Deputy Information Commissioner David] Smith told the Lords constitution committee that an example might be a doctor leaving a laptop containing personal details of patients in a car. It was “hard to say [this was] anything other than criminal negligence”, he said… [Commissioner Richard Thomas reported] that criminal sanctions should be used where a laptop had “a lot of personal information that hasn’t been taken care of and hasn’t been encrypted”. Doctors and others carrying sensitive information on portable devices “should know the basics of encryption”, he told the committee.
We have a fair number of laptops in our school district. Most administrators have them. Many special ed teachers use them, as do school psychologists, speech pathologists, and others addressing special needs in multiple school buildings. In most cases, these people have a need for data portability. They work in several different buildings, or they need to work on education plans and reports from home. All of them have access to confidential and potentially sensitive information. But almost none of them know anything about the basics of data encryption.
Our approach thus far has been two-fold. On one hand, we try to minimize the number of portable computing devices we have. If we have an elementary school guidance counselor who works in two schools, it’s actually less expensive for us to put a desktop computer in each school for her than it is to get her a laptop. When you factor in the higher acquisition cost, higher maintenance and support costs, and lower anticipated product life, a laptop is more than twice as expensive as a desktop. While data security hasn’t really factored in to these decisions in the past, it does benefit from them.
The other thing we do to protect data is to store it centrally. The software used to manage student Individualized Education Plans, for example, is stored in a centralized database. While laptops are used to connect to this database, the data isn’t stored on the laptop. This isn’t a foolproof solution, but it helps tremendously to reduce the amount of data on these portable devices.
We should be using TrueCrypt as well. This free software does a really good job of encrypting data and storing it securely. Essentially, the data is stored on the computer’s hard drive in an encrypted file. In order to access it, the computer user runs the program and types in the passphrase. If you enter it correctly, the encrypted file shows up as another drive on the computer, just like a flash drive. You can then copy files to and from it normally. This is good software, and it works well. But if you forget your password, you’re out of luck. If a staff member changes jobs, or goes on a leave of absence, there’s no way for the district to recover that data. With a staff that sometimes has a lot of difficulty with pretty basic technology tasks, that’s a pretty high tightrope to walk without a safety net. But maybe it’s time now to tighten things down a bit in the data security department.